Why are events that are sent to splunktcp://9816 from one Universal Forwarder to another UF going into the main index?


Events sent from one Universal Forwarder to another UF are going directly into the main index, even after I have specified index and sourcetype in the inputs.conf file on the receiving forwarder. How to avoid this?

1 Answer

I have only seen this one time and I am not sure if this will apply to your case, but it's worth a shot. Where I work we have multiple departments that utilize Splunk, and sometimes when the Universal Forwarder gets rolled out to a device, another company already had rolled it out. What happens then is that our deployment server takes over and sends the custom apps to the UF, but it keeps the previous department's inputs.conf and outputs.conf files. What I noticed is that when this happens, sometimes the data will go to our main index because of what the other department specified in their inputs/props/transforms, due to the conf files conflicting with each other.

It may be beneficial to at least check the /etc/apps folder to see if there are any additional apps directories that you do not recognize, or if apps you do recognize, like TA-Windows, might have additional inputs.conf files that you didn't originally write.
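
One way to run the check suggested in the answer above, as an added example that is not part of the original post and not Splunk tooling: it lists every inputs.conf stanza under an apps directory with the index and sourcetype it sets, so leftover or conflicting inputs stand out. The apps path is whatever you pass in; the app names and index values in `make_sample` are constructed.

```shell
#!/bin/sh
# Added example. Prints one tab-separated line per inputs.conf stanza:
# app, file, stanza, index, sourcetype. "(unset)" means this file sets no value.

audit_inputs() {
    apps_dir=${1%/}
    find "$apps_dir" -type f -name inputs.conf | sort |
    while IFS= read -r conf; do
        rel=${conf#"$apps_dir"/}      # e.g. TA-Windows/local/inputs.conf
        awk -v app="${rel%%/*}" -v file="$rel" '
            function val(line) {
                sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t\r]+$/, "", line)
                return line
            }
            function flush() {
                if (stanza != "")
                    printf "%s\t%s\t%s\tindex=%s\tsourcetype=%s\n", app, file, stanza,
                        (idx == "" ? "(unset)" : idx), (st == "" ? "(unset)" : st)
            }
            /^[ \t]*#/ { next }                      # skip comment lines
            /^[ \t]*\[/ {                            # new stanza header
                flush(); stanza = $0
                sub(/^[ \t]*/, "", stanza); sub(/[ \t\r]+$/, "", stanza)
                idx = ""; st = ""; next
            }
            /^[ \t]*index[ \t]*=/      { idx = val($0) }
            /^[ \t]*sourcetype[ \t]*=/ { st = val($0) }
            END { flush() }
        ' "$conf"
    done
}

# Constructed sample tree (hypothetical app names) standing in for etc/apps.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/our_inputs/local" "$d/other_dept_app/default"
    printf '%s\n' '[splunktcp://9816]' 'index = netops' 'sourcetype = fw' \
        > "$d/our_inputs/local/inputs.conf"
    printf '%s\n' '# left by a previous rollout' '[splunktcp://9816]' \
        'connection_host = ip' > "$d/other_dept_app/default/inputs.conf"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample); audit_inputs "$d"; rm -rf "$d"
elif [ -n "${1:-}" ]; then
    audit_inputs "$1"
fi
```

Two apps defining the same stanza, as in the sample, is the conflict the answer describes; `splunk btool inputs list --debug` on the forwarder shows which file wins after merging.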
